CVE-2024-11179
📋 TL;DR
This SQL injection vulnerability in the MStore API WordPress plugin allows authenticated attackers with Subscriber-level access or higher to inject malicious SQL queries via the 'status_type' parameter. This can lead to unauthorized data extraction from the database, affecting all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- MStore API – Create Native Android & iOS Apps On The Cloud WordPress plugin
📦 What is this software?
MStore API by InspireUI
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive database information including user credentials, personal data, and administrative details, potentially leading to complete site compromise.
Likely Case
Attackers with subscriber access could extract user data, modify database content, or escalate privileges within the WordPress installation.
If Mitigated
With proper input validation and parameterized queries, the vulnerability would be prevented entirely.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is commonly available. SQL injection techniques are well-documented and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.15.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3190678/mstore-api/trunk/controllers/helpers/vendor-admin-wcfm-helper.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MStore API plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.15.8+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version is available
wp plugin deactivate mstore-api
Web Application Firewall Rule
Block SQL injection patterns targeting the status_type parameter
🧯 If You Can't Patch
- Restrict user registration and review existing Subscriber-level accounts for suspicious activity
- Implement network-level filtering to block SQL injection patterns and monitor database query logs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the MStore API version. If the version is 4.15.7 or lower, the site is vulnerable.
Check Version:
wp plugin get mstore-api --field=version
Verify Fix Applied:
Verify that the plugin version is 4.15.8 or higher in the WordPress admin panel. Test the API endpoints that use the status_type parameter with SQL injection test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries containing SQL keywords such as UNION, SELECT or INSERT in the status_type parameter
- Multiple failed login attempts followed by SQL injection patterns
Network Indicators:
- HTTP POST requests to */wp-json/mstore/* endpoints with SQL payloads in the status_type parameter
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="*wp-json/mstore*" AND (status_type="*UNION*" OR status_type="*SELECT*" OR status_type="*INSERT*")
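To make the log indicators above concrete, here is an added example (not part of this advisory or of the plugin) that scans Apache combined-format access-log lines for requests to /wp-json/mstore/ routes whose status_type query parameter contains UNION, SELECT or INSERT, decoding once more than the server did so double-encoded values are still caught. The sample log lines and the endpoint path /wp-json/mstore/v1/example-endpoint are constructed placeholders, not real traffic or a real plugin route.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines (Apache combined format); the endpoint path
# /wp-json/mstore/v1/example-endpoint is a placeholder, not a real plugin route.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /wp-json/mstore/v1/example-endpoint?status_type=completed HTTP/1.1" 200 512 "-" "app/1.0"
10.0.0.7 - - [01/Dec/2024:10:00:02 +0000] "GET /wp-json/mstore/v1/example-endpoint?status_type=x%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.8 - - [01/Dec/2024:10:00:03 +0000] "GET /wp-json/mstore/v1/example-endpoint?status_type=selected HTTP/1.1" 200 512 "-" "app/1.0"
10.0.0.9 - - [01/Dec/2024:10:00:04 +0000] "GET /wp-json/mstore/v1/example-endpoint?status_type=1%20uNiOn%20sElEcT%201 HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.3 - - [01/Dec/2024:10:00:05 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Whole-word, case-insensitive match so benign values like "selected" do not trip the rule.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT)\b", re.IGNORECASE)


def suspicious_status_type(target):
    """Return the decoded status_type value if the request targets an MStore REST
    route and that value contains a SQL keyword, otherwise None."""
    parsed = urlparse(target)
    if "/wp-json/mstore/" not in parsed.path:
        return None
    # parse_qs percent-decodes once; decode again so a double-encoded value is still seen.
    for value in parse_qs(parsed.query, keep_blank_values=True).get("status_type", []):
        decoded = unquote_plus(value)
        if SQL_KEYWORDS.search(decoded):
            return decoded
    return None


def scan_log(text):
    """Return one record per log line whose status_type parameter looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        value = suspicious_status_type(m.group("target"))
        if value is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                         "status": m.group("status"), "status_type": value})
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

This only inspects the query string; a status_type value sent in a POST body is not in the access log, so the same check has to run in the WAF or on application-level request logging.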
🔗 References
- https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.15.5/controllers/helpers/vendor-admin-wcfm-helper.php#L803
- https://plugins.trac.wordpress.org/changeset/3190678/mstore-api/trunk/controllers/helpers/vendor-admin-wcfm-helper.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b308bddf-a153-4d5b-936f-2170a1a494a5?source=cve